Commit 5b2368cf authored by rdevlin.cronin's avatar rdevlin.cronin Committed by Commit bot

Fix use-after-free in BrowserActionView::~BrowserActionView()

BrowserActionView::~BrowserActionView deletes ExtensionActionViewController,
which calls CleanupPopup, which resets a MenuButton::PressedLock, which was
already deleted. Fix the order of destruction.

BUG=418737

Review URL: https://codereview.chromium.org/615543006

Cr-Commit-Position: refs/heads/master@{#297325}
parent 3967c432
...@@ -169,6 +169,12 @@ class BrowserActionView : public views::MenuButton, ...@@ -169,6 +169,12 @@ class BrowserActionView : public views::MenuButton,
virtual void OnPopupShown(bool grant_tab_permissions) OVERRIDE; virtual void OnPopupShown(bool grant_tab_permissions) OVERRIDE;
virtual void CleanupPopup() OVERRIDE; virtual void CleanupPopup() OVERRIDE;
// A lock to keep the MenuButton pressed when a menu or popup is visible.
// This needs to be destroyed after |view_controller_|, because
// |view_controller_|'s destructor can call CleanupPopup(), which uses this
// object.
scoped_ptr<views::MenuButton::PressedLock> pressed_lock_;
// The controller for this ExtensionAction view. // The controller for this ExtensionAction view.
scoped_ptr<ExtensionActionViewController> view_controller_; scoped_ptr<ExtensionActionViewController> view_controller_;
...@@ -184,9 +190,6 @@ class BrowserActionView : public views::MenuButton, ...@@ -184,9 +190,6 @@ class BrowserActionView : public views::MenuButton,
// updated. // updated.
IconObserver* icon_observer_; IconObserver* icon_observer_;
// A lock to keep the MenuButton pressed when a menu or popup is visible.
scoped_ptr<views::MenuButton::PressedLock> pressed_lock_;
DISALLOW_COPY_AND_ASSIGN(BrowserActionView); DISALLOW_COPY_AND_ASSIGN(BrowserActionView);
}; };
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment